The present disclosure relates to Hypertext Transfer Protocol Secure (HTTPS) communications and in particular to the detection of a man-in-the-middle (MITM) that may be attempting to monitor communications performed using HTTPS.
As HTTPS deployment grows, middlebox and antivirus products are increasingly intercepting Transport Layer Security (TLS) connections to retain visibility into network traffic. When it comes to HTTPS, the security community is working toward conflicting goals. On the one hand, the security community is committed to hardening and ubiquitously deploying HTTPS in order to provide strong end-to-end connection security. At the same time, middlebox and antivirus products increasingly intercept (i.e., terminate and re-initiate) HTTPS connections in an attempt to detect and block malicious content that uses the HTTPS protocol to avoid inspection. The advent of Server Name Indication (SNI) and self-signed root certificates installed on managed workstations weaken the overall security of the transport layer and therefore weaken HTTPS.
SNI is an extension to the TLS computer networking protocol which allows a client to indicate which hostname it is attempting to connect to at the start of the handshaking process. This is different from the original specification of TLS in which the client does not reveal any information prior to receiving the server's identity. SNI therefore allows a server to present multiple certificates on the same Internet Protocol (IP) address and Transmission Control Protocol (TCP) port number. This allows the server to service multiple secure, e.g., HTTPS, websites (or any other Service over TLS) using the same IP address without requiring all of the sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. In SNI, the desired hostname is not encrypted which allows an eavesdropper to see which site is being requested.
In cryptography and computer security, a self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies. This term has nothing to do with the identity of the person or organization that actually performed the signing procedure. In technical terms a self-signed certificate is a certificate signed with the private key of the sending entity. In typical public key infrastructure (PKI) arrangements, a digital signature from a certificate authority (CA) attests that a particular public key certificate is valid (i.e., contains correct information).
Domain generation algorithms (DGA) are algorithms that may be used to generate a large number of domain names. Often used in malware, DGAs can be used to generate rendezvous points as command and control servers for botnets to receive instructions. The large number of potential generated rendezvous points makes it difficult for other actors such as, e.g., law enforcement, to effectively track or shut down botnets since infected computers will attempt to contact a different set of these generated domain names every day to receive updates or commands. The generation of these domain names may be based on a variety of algorithms and based around one or more seeds. Often DGAs generate domain names having a high level of entropy, e.g., an apparently random set of numbers and letters. However, these domain names may be generated according to a pre-defined criteria that may be repeatable by more than one computing device to allow each computing device to access the same domain name for command and control instructions. An example DGA may generate a domain name based on, for example, time based parameters such as year, month, and day. For example, the DGA may implement an algorithm that inputs the year, month, and day and performs mathematical operations on each of the year, month, and day to modify the values, e.g., multiplication, addition, bitwise operations, or other mathematical operations. In some aspects, the output of the mathematical operations for one or more of the year, month, and day may be converted into another form, e.g., hexadecimal, and may be combined to generate the domain name. In some aspects, even the combined value may be adjusted by further mathematical operations. The output may then be appended to an appropriate domain identifier, e.g., .com, .net. etc. to form a domain name. The generated domain name may then be output from the DGA and used.